
problem with XADS on windows 2000

Discussion in 'Virus & Other Malware Removal' started by mark stuart, Sep 3, 2004.

Thread Status:
Not open for further replies.
  1. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear All,
    My computer was hijacked recently and despite all my efforts, I can't get back to the blissful state when my computer functioned properly and McAfee worked. I removed 180 search assistant but seem to have been left a legacy of a programme called XADS. My operating system is Windows 2000 and I am posting my Hijackthis log below. Thanks in advance for any help you can give me.

    MSH

    Logfile of HijackThis v1.98.0
    Scan saved at 1:46:19, on 04/09/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\winampo.exe
    C:\WINNT\system32\netsv32.exe
    C:\WINNT\system32\yiwojh.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\winampo.exe
    C:\WINNT\system32\netsv32.exe
    C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
    C:\WINNT\system32\wsass.exe
    C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe
    O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
    O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe
    O4 - HKLM\..\Run: [SysConfig] wincfg32.exe
    O4 - HKLM\..\Run: [Video Process] MSIupdate.exe
    O4 - HKLM\..\Run: [System] system32.exe
    O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Fix Winamp] winampo.exe
    O4 - HKLM\..\Run: [netsv32] netsv32.exe
    O4 - HKLM\..\Run: [Configuration] ntsys32.exe
    O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
    O4 - HKLM\..\Run: [Windows WKS] wsass.exe
    O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe
    O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
    O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe
    O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe
    O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe
    O4 - HKLM\..\RunServices: [System] system32.exe
    O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe
    O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe
    O4 - HKLM\..\RunServices: [netsv32] netsv32.exe
    O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe
    O4 - HKLM\..\RunServices: [Windows WKS] wsass.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe
    O4 - HKCU\..\Run: [Fix Winamp] winampo.exe
    O4 - HKCU\..\Run: [netsv32] netsv32.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    Please download the latest version of Hijack This 1.98.2 and be sure to save it to its own folder on your hard drive. Then post a new log please.

    Please do this. Click here: http://www.majorgeeks.com/download3155.html to download Hijack This. It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.
     
  3. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegal,
    Followed your instructions and here is the new log.

    Logfile of HijackThis v1.98.2
    Scan saved at 16:15:10, on 04/09/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\winampo.exe
    C:\WINNT\system32\netsv32.exe
    C:\WINNT\system32\yiwojh.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\winampo.exe
    C:\WINNT\system32\netsv32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe
    O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
    O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe
    O4 - HKLM\..\Run: [SysConfig] wincfg32.exe
    O4 - HKLM\..\Run: [Video Process] MSIupdate.exe
    O4 - HKLM\..\Run: [System] system32.exe
    O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Fix Winamp] winampo.exe
    O4 - HKLM\..\Run: [Configuration] ntsys32.exe
    O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
    O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe
    O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
    O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe
    O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe
    O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe
    O4 - HKLM\..\RunServices: [System] system32.exe
    O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe
    O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe
    O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe
    O4 - HKCU\..\Run: [Fix Winamp] winampo.exe
    O4 - HKCU\..\Run: [netsv32] netsv32.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    Go to Control Panel - Add/Remove programs and delete this if there:

    Twain-Tech


    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll

    O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE

    O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe

    O4 - HKLM\..\Run: [Threaded] ntsyst32.exe

    O4 - HKLM\..\Run: [KTAX Auto Loader] ktax.exe

    O4 - HKLM\..\Run: [SysConfig] wincfg32.exe

    O4 - HKLM\..\Run: [Video Process] MSIupdate.exe

    O4 - HKLM\..\Run: [System] system32.exe

    O4 - HKLM\..\Run: [Windows Clock Configuration] windowstm.exe

    O4 - HKLM\..\Run: [Fix Winamp] winampo.exe

    O4 - HKLM\..\Run: [Configuration] ntsys32.exe

    O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe

    O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE

    O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe

    O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe

    O4 - HKLM\..\RunServices: [KTAX Auto Loader] ktax.exe

    O4 - HKLM\..\RunServices: [SysConfig] wincfg32.exe

    O4 - HKLM\..\RunServices: [Video Process] MSIupdate.exe

    O4 - HKLM\..\RunServices: [System] system32.exe

    O4 - HKLM\..\RunServices: [Windows Clock Configuration] windowstm.exe

    O4 - HKLM\..\RunServices: [Fix Winamp] winampo.exe

    O4 - HKLM\..\RunServices: [Configuration] ntsys32.exe

    O4 - HKLM\..\RunServices: [Configuration Loader] systemry.exe

    O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe

    O4 - HKCU\..\Run: [Fix Winamp] winampo.exe

    O4 - HKCU\..\Run: [netsv32] netsv32.exe


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    EXECDLL32.EXE - file
    mdms.exe - file
    ntsyst32.exe - file
    ktax.exe - file
    wincfg32.exe - file
    MSIupdate.exe - file
    system32.exe - file
    windowstm.exe - file
    winampo.exe - file
    C:\WINNT\system32\yiwojh.exe - file
    systemry.exe - file
    netsv32.exe

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    These files may be hidden so double-click on My Computer. Go to Control Panel - Tools - folder options. Click on view tab and make sure “show hidden files and folders” is checked. Uncheck “Hide file extensions for known file types”. Uncheck “hide protected operating system files”. Click Apply then O.K.

    Then reboot and post another log please.
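The entries Cookiegal picks out above share a few visible traits: autostart values that give only a bare file name, the same file registered under HKLM\Run, HKLM\RunServices and HKCU\Run at once, value names borrowed from Windows components, and BHO DLLs dropped straight into C:\WINNT. The script below is an added example, not a tool from this thread or from the HijackThis project: it parses the O2 and O4 lines of a log, applies those heuristics, and compares an earlier log with a later one so the "post another log" step can be checked mechanically. The heuristic word list is constructed for illustration, and the sample logs are a subset of the lines posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses O2 (BHO) and O4 (autostart) lines and applies simple heuristics that
match the pattern fixed above. They produce leads for a human to check,
not verdicts: Windows' own internat.exe is registered by bare name too.
"""
import re
from collections import defaultdict

# Line formats exactly as they appear in the logs posted in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed list: words malware uses in autostart value names to blend in.
MIMIC_WORDS = ("system", "windows", "machine debug", "microsoft", "configuration")

# Constructed samples: a subset of the lines from the first and last logs above.
SAMPLE_BEFORE = r"""
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\Run: [rgrivruxsm] C:\WINNT\system32\yiwojh.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\RunServices: [Machine Debug Manager] mdms.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Machine Debug Manager] mdms.exe
"""
SAMPLE_AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""


def parse_log(text):
    """Return the O2 and O4 entries of a log as dicts; every other line is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "key": m["key"],
                            "name": m["name"], "cmd": m["cmd"]})
    return entries


def executable_of(cmd):
    """Program part of an autostart command: honours quoting, drops arguments.
    An unquoted path with spaces would be cut at the first space; the logs above
    quote such paths (see the McAfee entries)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def file_name(path):
    """Lower-cased final component of a Windows path (or the bare name itself)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_windows_dir(path):
    r"""True for C:\WINNT\... or C:\Windows\..., where a legitimate BHO rarely installs."""
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) > 1 and parts[1] in ("winnt", "windows")


def triage(text):
    """Map each flagged file name to the set of reasons; unflagged files are absent."""
    reasons = defaultdict(set)
    keys_per_file = defaultdict(set)
    for e in parse_log(text):
        if e["kind"] == "O2":
            if under_windows_dir(e["path"]):
                reasons[file_name(e["path"])].add("bho_under_windows_dir")
            continue
        prog = executable_of(e["cmd"])
        fname = file_name(prog)
        keys_per_file[fname].add((e["hive"], e["key"]))
        # A bare name is resolved through the search path at logon, so the log
        # gives no clue where the file lives. Weak on its own, strong combined.
        if "\\" not in prog and ":" not in prog:
            reasons[fname].add("bare_filename")
            if any(w in e["name"].lower() for w in MIMIC_WORDS):
                reasons[fname].add("mimics_system_component")
    # Legitimate software registers one autostart value; the same file under
    # Run, RunServices and HKCU\Run at once is the redundancy seen above.
    for fname, keys in keys_per_file.items():
        if len(keys) >= 2:
            reasons[fname].add("multiple_autostart_keys")
    return dict(reasons)


def removed_between(before_text, after_text):
    """O2/O4 lines present in the earlier log but gone from the later one."""
    def keyset(text):
        return {l.strip() for l in text.splitlines() if l.strip().startswith(("O2 -", "O4 -"))}
    return sorted(keyset(before_text) - keyset(after_text))


if __name__ == "__main__":
    for fname, why in sorted(triage(SAMPLE_BEFORE).items()):
        print(f"{fname:20s} {', '.join(sorted(why))}")
    print("entries removed by the fix:", len(removed_between(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

Note what the heuristics miss: C:\WINNT\system32\yiwojh.exe is a full path registered once, so none of the three rules fires on it even though Cookiegal lists it; a random value name like [rgrivruxsm] is the only clue, and that is why the fix list here comes from experience and not from rules alone. Conversely mobsync.exe and internat.exe are flagged as bare names although both are Windows' own, which is why the output is a work list rather than a delete list.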
     
  5. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegal,
    After burning the midnight lamp, all alone, I managed to remove all the hijackers. I guess I will be doing the same tonight to improve my security.
    A donation will be on its way!

    Thanks again!

    Logfile of HijackThis v1.98.2
    Scan saved at 10:15:33, on 05/09/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\internat.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136
     
  6. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegals and guys,
    I am struggling to remove SDBOT from my computer. I did what you would normally do to remove it but it keeps reappearing and I think it represents a break in my defences, allowing others in through the backdoor, as it were.

    Thank you!

    MSH
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download Adaware SE http://www.lavasoftusa.com/support/download/
    The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
    Press "Continue" on the bottom right on your screen
    Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bottom right of your Adaware screen click "Start".
    A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

    Select the following:

    In the General tab select:
    Keep it all the same

    In the Scanning tab select:
    Under Drivers Folders and Files-select Scan within archives
    Under Memory and Registry select all that is underneath it!
    Make sure your hard drive is selected when you press "Select Drives and Folders to scan"

    In the Advanced tab select:
    Make sure you have everything under the "Logfile Detail Level" selected.
    (This makes it easier for people from Lavasoft forums to see what options you have selected)

    In the Startup, Defaults, and Interface tab select nothing.


    In the Tweak tab select:
    You may not be able to select certain things in the tweak tab, but do not be alarmed.
    Under scanning engine select:
    "Unload recognized processes during scanning"
    "Scan registry for all users instead of current users only"
    Under Cleaning Engine select:
    "Always try to unload modules before deletion"
    "During removal unload Explorer and IE if necessary"
    "Let Windows remove files in use at next boot"
    "Delete Quarantined objects after restoring"
    Under log files:
    "Include Basic Ad-Aware settings in log file"
    "Include additional Ad-Aware settings in log file"
    "Include reference summary in log file"
    "Include used command line parameters in log file"
    All of the other links are just fine.

    Press "Proceed" to save the settings


    Press "Next" on the bottom right hand corner.
    Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
    Then click "Next" to remove any objects found.

    ______________________________________________________________
    Create a folder on your hard drive somewhere like in "My Documents" and name it Hijackthis
    Download Hijack This to its own folder: http://www.dotcomsecurity.org/downloads/HijackThis.exe
    Doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here.

    Most of what it lists will be harmless or even essential, don't fix anything yet.
    __________________
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    I did give you lots of homework didn't I? :D Well you get an A+ on the assignment. The log looks good now.

    How's everything running?
     
  9. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegal,
    Thanks again for your help. I'm just trying to remove SDBOT but it keeps hiding itself in other folders to which access is denied. I followed MOBY's instructions on AD AWARE, which I have been using but I think someone has gained access to my computer and can therefore see that I'm on to him/her.

    I spent the entire morning updating my service pack but I am determined to rid myself of the intruder as I view the internet as a brother and hijackers as a Davidian sect trying to put him under their control.

    Thanks again and thanks also to Moby!

    MSH
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
  11. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegal and MOBO,
    Thanks for your suggestions, I did all the homework set but I still have an unwelcome guest, called SDBOT.

    I keep evicting ntsv32 and Msgfix.exe but the little swines don't want to leave and they seem to occupy new files in a vain attempt to conceal themselves.

    Yours frustratingly,

    MSH
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    Please post another log.
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    I also merged the two threads together.
     
  14. mark stuart

    mark stuart Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    7
    Dear Cookiegal,
    My wife said that she had to delete an e-mail I sent her because her computer detected a virus. I have run adaware, I have McAfee running but it only detects SDBOT in msgfix and I've done everything to try and rid myself of these intruders.

    For what it's worth, you solved my problem with XADS.

    Many thanks,
    Logfile of HijackThis v1.98.2
    Scan saved at 23:44:08, on 08/09/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINNT\system32\carpserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\iDialer\Wanadoo-Tarifa Plana 24 horas Acelerador\idialer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\iDialer\Wanadoo Turbo\wturbo.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\user.PC\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eresmas.com/i2r/login2?to=www.wanadoo.es&nack=www.wanadoo.es
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\WINNT\iDialer\Wanadoo Turbo\pbhelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AE310EE-0A1E-46F4-B149-ED054561FB40}: NameServer = 62.36.225.150 62.37.228.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E71CD56-5389-4F74-BC96-B3E2117FEC17}: NameServer = 62.42.230.135,62.42.230.136


    MSH
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,870
    Please give me the entire path to these offending files that you're trying to get rid of.

    What happened when you did the on-line scans? Did they detect anything?
     
Short URL to this thread: https://techguy.org/269889